FR 2.0.5 MPPE problem - worked in 2.0.4
Pshem Kowalczyk
pshem.k at gmail.com
Sat Jul 5 14:38:35 CEST 2008
Hi
We've encountered exactly the same behaviour. Basically - you're not
supposed to rely on this functionality as it was an unsupported
feature. If you have to add some attributes to the reply from the home
server - use unlang in the post proxy section, like this:
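post-proxy {
    # Only act when the proxied request was an Access-Request
    if ("%{Packet-Type}" == Access-Request) {
        # Match on the address returned by the home server
        if ("%{proxy-reply:Framed-IP-Address}" =~ /^10\.20.*$/) {
            # Add attributes to the reply sent back to the NAS
            update reply {
                Session-Timeout := 1
                Filter-Id := "redirect"
            }
        }
    }
}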
kind regards
Pshem
2008/7/5 John Horne <john.horne at plymouth.ac.uk>:
> Hello,
>
> We are running Freeradius on some VPN servers using MPPE and PPTP. I
> have upgraded one server this afternoon from FR 2.0.4 to 2.0.5. We are
> now seeing the old (?!) error messages of MPPE not being available:
>
> ======================================================================
> Jul 4 17:40:01 betty pppd[23739]: rcvd [CHAP Response id=0x37
> <20f649170924934c
> aea705692a84956100000000000000005000d7a07dae438cc630dfe93a6f147c9a031d758b8cf2d300>,
> name = "jhorne"]
> Jul 4 17:40:01 betty pppd[23739]: sent [CHAP Success id=0x37
> "S=2A085F4D0A91C6832D347AF4305ED84C2ACF32E0"]
> Jul 4 17:40:01 betty pppd[23739]: MPPE required, but keys are not
> available. Possible plugin problem?
> Jul 4 17:40:01 betty pppd[23739]: sent [LCP TermReq id=0x2 "MPPE
> required but not available"]
> Jul 4 17:40:01 betty pppd[23739]: rcvd [CCP ConfReq id=0x4 <mppe +H
> +M +S +L -D +C>]
> ======================================================================
>
>
> None of the configuration files were changed. Our 'users' file contains
> a DEFAULT entry of:
>
> DEFAULT Service-Type == Framed-User
> MS-MPPE-Encryption-Policy = 0x00000002,
> MS-MPPE-Encryption-Types = 0x00000006
>
>
> When running FR 2.0.4 using 'radiusd -X' we can see the MPPE reply items
> present (and FR then passes them on to the PPP daemon):
>
> ==================================================================
> Login OK: [jhorne/<via Auth-Type = mschap>] (from client localhost port
> 0 cli 141.163.60.7)
> Sending Access-Accept of id 141 to 127.0.0.1 port 32769
> MS-CHAP2-Success =
> 0x9c533d43393244394538333244413042433745324241443135463241354437354233443034394544313230
> Reply-Message = "Yes"
> MS-MPPE-Recv-Key = 0x0e7596f28778d7d71a7553aadfa57e92
> MS-MPPE-Send-Key = 0x41496804da30ffb8550fa9437ee6ae5e
> MS-MPPE-Encryption-Policy = 0x00000002
> MS-MPPE-Encryption-Types = 0x00000006
> Finished request 0.
> ==================================================================
>
>
> However, with FR 2.0.5 the MPPE reply items are missing:
>
> ==================================================================
> Login OK: [jhorne] (from client localhost port 0 cli 141.163.60.7)
> Sending Access-Accept of id 144 to 127.0.0.1 port 32769
> MS-CHAP2-Success =
> 0x37533d32413038354634443041393143363833324433343741463433303545443834433241434633324530
> Reply-Message = "Yes"
> MS-MPPE-Recv-Key = 0x00fbe23240bfd5a27fa70a2e32b581b3
> MS-MPPE-Send-Key = 0xff5da890119101d1c08693d65bc3fc5b
> Finished request 0.
> ==================================================================
>
>
> As said, none of the configuration files have changed at all. It seems
> that FR 2.0.5 is dropping the reply items from the 'users' file after
> proxying, rather than passing them on.
>
>
> Has anyone else noticed this? I cannot really see anything relevant in
> the Changelog that would explain this. I'm a little stumped as to how to
> proceed with this (other than going back to 2.0.4), and it's late on a
> Friday afternoon so I'm going home to think :-)
>
>
>
> Thanks,
>
> John.
>
> --
> ---------------------------------------------------------------
> John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
> E-mail: John.Horne at plymouth.ac.uk Fax: +44 (0)1752 587001
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
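An added example, not part of the original thread or of FreeRADIUS: a small Python check that reads `radiusd -X` debug output and flags any Access-Accept that carries MPPE keys without the policy attributes from the 'users' entry quoted above, which is the symptom reported after the 2.0.5 upgrade. The function names and the sample output are constructed for illustration.

```python
import re

# Expected reply items, from the 'users' DEFAULT entry quoted in the thread.
EXPECTED = {"MS-MPPE-Encryption-Policy": "0x00000002",
            "MS-MPPE-Encryption-Types": "0x00000006"}
KEY_ATTRS = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")
HEADER = re.compile(r"^Sending (\S+) of id (\d+) to \S+ port \d+")
ATTR = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*(\S.*)$")

# Constructed sample of 'radiusd -X' output; ids and key values are made up.
SAMPLE = """\
Sending Access-Accept of id 1 to 127.0.0.1 port 32769
    MS-MPPE-Recv-Key = 0x00112233445566778899aabbccddeeff
    MS-MPPE-Send-Key = 0xffeeddccbbaa99887766554433221100
    MS-MPPE-Encryption-Policy = 0x00000002
    MS-MPPE-Encryption-Types = 0x00000006
Finished request 0.
Sending Access-Accept of id 2 to 127.0.0.1 port 32769
    MS-MPPE-Recv-Key = 0x00112233445566778899aabbccddeeff
    MS-MPPE-Send-Key = 0xffeeddccbbaa99887766554433221100
Finished request 1.
"""

def parse_replies(text):
    """Return [(packet_type, id, {attr: value})] per 'Sending ...' block."""
    replies, attrs = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate mail-quoted output
        m = HEADER.match(line)
        if m:
            attrs = {}
            replies.append((m.group(1), int(m.group(2)), attrs))
        elif line.startswith("Finished request"):
            attrs = None
        elif attrs is not None and (a := ATTR.match(line)):
            attrs[a.group(1)] = a.group(2)
    return replies

def audit(text):
    """(id, attribute, got) for accepts with MPPE keys but wrong/missing policy."""
    findings = []
    for ptype, pid, attrs in parse_replies(text):
        if ptype == "Access-Accept" and any(k in attrs for k in KEY_ATTRS):
            findings += [(pid, n, attrs.get(n)) for n, want in EXPECTED.items()
                         if attrs.get(n) != want]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same check against debug output captured before and after an upgrade shows whether reply items from the 'users' file are still reaching the NAS.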